Abstract. The Diophantine Equation Hard Problem (DEHP) is a potential
cryptographic problem on the Diophantine equation $U = \sum_{i=1}^{n} V_i x_i$.
A proper implementation of DEHP would force an attacker to search for
private parameters amongst the exponentially many solutions. However,
an improper implementation would provide an attacker exponentially
many choices to solve the DEHP. The $AA_\beta$-cryptosystem is an asymmetric
cryptographic scheme that utilizes this concept together with the
factorization problem of two large primes and is implemented only by
using the multiplication operation for both encryption and decryption.
With this simple mathematical structure, it would have low computational
requirements and would enable communication devices with low
computing power to deploy secure communication procedures efficiently.
1 Introduction



The discrete log problem (DLP) and the elliptic curve discrete log problem
(ECDLP) have been the source of security for cryptographic schemes such as
the Diffie Hellman key exchange procedure, El-Gamal cryptosystem and elliptic
curve cryptosystem (ECC) respectively [B], [10]. As for the world renowned RSA
cryptosystem, the inability to find the e-th root of the ciphertext $C$ modulo $N$
from the congruence relation $C \equiv M^e \pmod{N}$ coupled with the inability to
factor $N = pq$ for large primes $p$ and $q$ is its fundamental source of security
[11]. Recently, suggestions have been made that the ECC is able to produce the
same level of security as the RSA with shorter key length. Thus, ECC should
be the preferred asymmetric cryptosystem when compared to RSA [16]. Hence,
the notion "cryptographic efficiency" is conjured. That is, to produce an
asymmetric cryptographic scheme that could produce security equivalent to a certain
key length of the traditional RSA but utilizing shorter keys. However, in
certain situations where a large block needs to be encrypted, RSA is the better
option than ECC because ECC would need more computational effort to
perform such a task [14]. This adds another characteristic to the notion of
"cryptographic efficiency": it must be less "computationally intensive". As
such, in order to design a state-of-the-art public key mechanism, the above two
characteristics must be adhered to apart from other well known security issues.
In 1998 the cryptographic scheme known as NTRU was proposed with better
"cryptographic efficiency" relative to RSA and ECC [9]. Much effort has been
made to push NTRU to the forefront [8].

The cryptographic scheme in this paper is based on what is defined as the
Diophantine Equation Hard Problem (DEHP). It is coupled together with the
well known integer factorization problem of two large primes. The DEHP is a new
form of cryptographic problem based on the Diophantine equation of the form
$U = \sum_{i=1}^{n} V_i x_i$. The authors propose that the DEHP as outlined in this paper
is also another cryptographic problem that has secure cryptographic qualities
coupled with the above described "cryptographic efficiency" qualities.

The layout of this paper is as follows. In Section 2, the Diophantine Equation
Hard Problem (DEHP) will be described. The mechanism of the $AA_\beta$-cryptosystem
will be detailed in Section 3. Section 4 discusses the security features of this
cryptosystem. In Section 5, lattice based attacks on the scheme are discussed.
Section 6 is devoted to discussing the consequences of improper design utilizing
the DEHP, that is, the possibility of succumbing to a passive adversary attack.
The underlying principle and reduction proofs regarding the intractability of the
scheme are proposed in Section 7. A numerical example of the scheme as well as an
illustration of the DEHP will also be given in this section. Finally, we conclude
the paper by comparing "cryptographic efficiency" characteristics against RSA, ECC
and NTRU schemes in Section 8.

2 The Diophantine equation hard problem (DEHP) 

The DEHP is based upon the linear Diophantine equation which is of the form
$U = \sum_{i=1}^{n} V_i x_i$. The following definitions would give a precise idea
regarding the DEHP.

Definition 1. Let $U = \sum_{i=1}^{n} V_i x_i$ where the integers $U$ and $\{V_i\}_{i=1}^{n}$ are known.
We define the sequence of integers $\{x_i^*\}_{i=1}^{n}$ as the preferred integers used to obtain
$U$. The sequence $\{x_i^*\}_{i=1}^{n}$ are particular elements from the set of solutions of
$U = \sum_{i=1}^{n} V_i x_i$ that contains infinitely many elements. The problem to determine
the sequence $\{x_i^*\}_{i=1}^{n}$ is known as the DEHP.

Definition 2. From Definition 1, for $n = 2$, $V_1 = 1$ and $V_2 = 1$ the DEHP is
known as the $AA_\beta$-DEHP-2 (see Section 7).

Definition 3. The Diophantine equation given by $U = \sum_{i=1}^{n} V_i x_i^*$ is defined to be
prf-solved when the sequence of integers $\{x_i^*\}_{i=1}^{n}$ is found in order to obtain $U$.
The DEHP or the $AA_\beta$-DEHP-2 is solved when $U$ is prf-solved.

Example 1. Let $x_1 = 6143959510671614040$, $x_2 = 6143959507200090613$ be the
preferred solutions for the equation $12287919017871704653 = x_1 + x_2$ where
$x_1$ and $x_2$ are 2n-bits long (i.e. in this example n = 32). An attacker would
be faced with the $AA_\beta$-DEHP-2 (see Section 7) of determining the preferred
integer $x_1 = t$ in order to determine the remaining preferred integer
$x_2 = 12287919017871704653 - t$ that form the prf-solution set for the above
Diophantine equation. Since it is known that $x_1$ is 64-bits long, the possible values
of $t$ reside within the interval $(2^{63}, 2^{64} - 1)$. In other words, there are $2^{63}$ possible
values that $x_1$ might be.

3 The $AA_\beta$-Cryptosystem

We will now define parameters needed for the renewed $AA_\beta$-cryptosystem. The
communication model is between two parties A (Along) and B (Busu).

Definition 4. The ephemeral secret keys for Along are three integers. The
integers $a_1$, $a_2$ and $a_3$ are 2n-bits long. The relation between the integers is:

$$a_1 + a_2 \equiv 0 \pmod{a_1 - a_2} \qquad (1)$$

and

$$a_2 + a_3 \equiv v \pmod{a_1 - a_2} \qquad (2)$$

where $v$ is 0.8125n-bits long.

Definition 5. Let $p$ and $q$ be two prime numbers of n-bit length. Along's public
keys are given by

$$e_{A1} = a_1 + a_2 = pq \qquad (3)$$

$$e_{A2} = a_1 + a_3 \qquad (4)$$

Definition 6. Along's private key is given by

$$d_{A1} = a_1 - a_2 = p \qquad (5)$$

$$d_{A2} = v \qquad (6)$$

Definition 7. Busu will generate two ephemeral session keys: $k_1$ and $k_2$. The
keys $k_1$ and $k_2$ are ^-bits long.

Definition 8. The message that Busu will relay to Along is a (^)-bit integer
$m$.

Definition 9. Busu will produce the following ciphertext:

$$C = k_1 e_{A1} + k_2 e_{A2} + m \qquad (7)$$

Proposition 1. $(C \bmod d_{A1}) \bmod d_{A2} = m$.

Proof. We begin with:

$$C \bmod d_{A1} = k_2 v + m \qquad (8)$$

because $k_2 v + m < d_{A1}$. Then,

$$(k_2 v + m) \bmod d_{A2} = m \qquad (9)$$

because $m < d_{A2}$. □



3.1 The $AA_\beta$ public key cryptography scheme

We will now discuss the $AA_\beta$-cryptosystem. It is as follows: the scenario is that
Busu will send an encrypted message to Along. Along will provide Busu with his
public key pair $e_{A1}$ and $e_{A2}$. Busu intends to send the integer plaintext $P = m$
as in Definition 8. Busu will then proceed to generate the ciphertext $C$. Then
Busu transmits the ciphertext $C$ to Along. Upon receiving the ciphertext from
Busu, Along by Proposition 1, can retrieve the integer plaintext $P = m$.
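The exchange above can be traced with the numbers the paper gives in Section 7.6. The following is an added example, not code from the paper; the function and constant names are assumptions, and the second call in `demo` is a constructed case showing that decryption silently returns a wrong value once the size condition $k_2 v + m < d_{A1}$ from the proof of Proposition 1 is violated.

```python
# Added example: AA_beta key relations, encryption and decryption, checked
# against the numbers of the paper's Section 7.6 example (n = 32).
# Function and constant names are assumptions made for this sketch.

P, Q = 3471523427, 3539633039          # Along's primes (Section 7.6)
V, A3 = 66857602, 5113460585870913605  # v and a_3 (Section 7.6)
M, K1, K2 = 39152991, 33, 32           # Busu's message and session keys

def make_keys(p, q, v, a3):
    """Build Along's keys from p, q, v, a3 and check relations (1) and (2)."""
    e_a1 = p * q
    # a1 + a2 = pq (3) and a1 - a2 = p (5) give a1 and a2 directly.
    a1, a2 = (e_a1 + p) // 2, (e_a1 - p) // 2
    if (a1 + a2) % (a1 - a2) != 0 or (a2 + a3) % (a1 - a2) != v:
        raise ValueError("a1, a2, a3 do not satisfy relations (1) and (2)")
    return {"public": (e_a1, a1 + a3), "private": (p, v)}

def encrypt(public, m, k1, k2):
    """Equation (7): C = k1*e_A1 + k2*e_A2 + m."""
    e_a1, e_a2 = public
    return k1 * e_a1 + k2 * e_a2 + m

def decrypt(private, c):
    """Proposition 1: m = (C mod d_A1) mod d_A2."""
    d_a1, d_a2 = private
    return (c % d_a1) % d_a2

def bounds_hold(private, m, k2):
    """Size conditions used in the proof: k2*v + m < d_A1 and m < d_A2."""
    d_a1, d_a2 = private
    return k2 * d_a2 + m < d_a1 and m < d_a2

def demo():
    keys = make_keys(P, Q, V, A3)
    c = encrypt(keys["public"], M, K1, K2)
    ok = (bounds_hold(keys["private"], M, K2), decrypt(keys["private"], c))
    # Constructed failure case: k2 = 64 makes k2*v + m exceed d_A1, so the
    # first reduction wraps around and the recovered value is wrong.
    c_bad = encrypt(keys["public"], M, K1, 64)
    bad = (bounds_hold(keys["private"], M, 64), decrypt(keys["private"], c_bad))
    return c, ok, bad
```

An implementation therefore has to enforce the size bounds at encryption time, because the receiver has no way to detect the wrap-around from the ciphertext alone.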



4 Security Features 

In this section we will focus on the obvious objective of an attacker, that is,
to retrieve the plaintext or the private key or both. We begin with the
objective of obtaining the plaintext from the ciphertext, followed by the
objective of obtaining the private key embedded within the public key.

4.1 To obtain the plaintext from the ciphertext 

As defined in Definition 9, the plaintext resides within $C$. Thus, the attacker
has to prf-solve $C$ via the preferred integers $k_1$ and $k_2$, the $AA_\beta$-DEHP-1 (see
Section 7), given by

$$C = k_1 e_{A1} + k_2 e_{A2} + m \qquad (10)$$

The ability to determine the keys $k_1$ or $k_2$ would imply that the attacker also has
the ability to determine $m$ in the first instance.



4.2 To obtain the private key from the public key via the 
Diophantine equations 

The attacker has to prf-solve $e_{A1}$ and $e_{A2}$ via the preferred integers $a_1$, $a_2$ and
$a_3$, the $AA_\beta$-DEHP-2 (see Section 7). In line with the ability to obtain the
plaintext from the ciphertext as discussed above, the ability to determine the
keys $a_1$, $a_2$ and $a_3$ would imply that the attacker also has the ability to determine
$m$ in the first instance.

5 Lattice based attacks 

In this section we put forward two possible attacks via lattices and show
why such attacks will not yield any information detrimental to the scheme.

5.1 Attack with Coppersmith method in the univariate case 

We will reproduce Coppersmith's theorem for the benefit of the reader.

Theorem 1. (Coppersmith) Let $N$ be an integer of unknown factorization, which
has a divisor $b \geq N^{\beta}$. Furthermore, let $f_p(x)$ be a univariate, monic polynomial
of degree $\delta$. Then we can find all solutions $x_0$ for the equation $f_p(x) \equiv 0 \pmod{b}$
with

$$|x_0| \leq \frac{1}{2} N^{\frac{\beta^2}{\delta} - \epsilon}$$

in polynomial time in $(\log N, \delta, \frac{1}{\epsilon})$.

Case 1. We begin by observing $e_{A1} = pq$ where $p$ and $q$ are of equal length.
Suppose $p$ is a prime integer that satisfies $p \geq (pq)^{1/2}$. It is clear that $\beta = \frac{1}{2}$.
Let us now observe the polynomials $x - e_{A2}$ and $e_{A1} = pq$ which have a small
common root $v$ modulo $p$. By the polynomial $f_p(x) = x^2 - e_{A2}x + pq$ we have
the parameter $\delta = 2$. The parameter $\frac{1}{2} N^{\frac{\beta^2}{\delta} - \epsilon}$ is an (^)-bit integer while the
parameter $v$ is a 0.8125n-bit integer. Thus, the bound is much smaller than the
root.

Case 2. A more efficient method would be just to observe the polynomial
$f_p(x) = x - e_{A2}$. Hence, $\delta = 1$. The parameter $\frac{1}{2} N^{\frac{\beta^2}{\delta} - \epsilon}$ is an (^)-bit integer while the
parameter $v$ is a 0.8125n-bit integer. Thus, the bound is still much smaller than
the root.

5.2 Gaussian heuristic 

We will look at the lattice $L$ spanned by $(1, 0, e_1)$, $(0, 1, e_2)$, $(0, 0, C)$. Observe
that the vector $V = (k_1, k_2, -m)$ is in $L$. If $V$ is short, then the LLL algorithm
will be able to detect $V$. This is critical since, in the vector $V = (k_1, k_2, -m)$,
the length of $m$ is dominant when compared to $k_1$ and $k_2$; hence the length of $V$
is approximately $m$. Now let us check whether $V$ is really short or not. The
Gaussian heuristic for the lattice $L$ is given by:

One can see that $\sigma(L)$ is approximately (^)-bits, while the length of the vector
$V$ is (^)-bits. The Gaussian heuristic is much smaller than the length of the
vector $V$. Thus, the vector $V$ is not considered to be short and cannot be detected
by the LLL algorithm.

6 Improper design via the DEHP 

It is important to note that an improper design of an asymmetric cryptosystem
via the DEHP would lead to successful passive adversary attacks. To illustrate
this fact, we will produce the following two examples.

6.1 A key exchange mechanism based on the DEHP

Let Along and Busu utilize private 2 × 2 non-singular matrices $A$ and $B$ respectively.
A base generator $G$ will be made public. It is a 2 × 2 singular matrix.
The parameters $E_A = AG$ and $E_B = GB$ will be exchanged between Along
and Busu. Then Along will compute $E_{AB} = [A]E_B$, while Busu will compute
$E_{BA} = E_A[B]$. Now both parties have the same key (i.e. key exchange). If
the assumption is that the attacker has to obtain either $A$ or $B$ from either
$E_A$ or $E_B$ this would be the DEHP, since $G$ is singular. However, an attacker
could still compute $A' \neq A$ but $A'G = AG$ and as a result is able to compute
$A'E_B = E_{AB}$, thus rendering the scheme insecure. The following is a
numerical example.

Example 2. Let
Along will generate

(14 28)

and Busu will generate

$$E_B = \begin{pmatrix} 25 & 28 \\ 50 & 56 \end{pmatrix}$$

The shared key computed by both parties is 



An attacker intercepting could construct the matrix 



It could be observed that $AGB = A'GB$. Hence, a passive adversary attack has
been successfully executed.
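Why a singular public $G$ defeats this exchange can be checked directly. The following is an added example, not code from the paper: the matrices `G`, `A` and `B` are constructed sample values and the function names are assumptions. It shows that the public pair $(G, E_A)$ already determines a matrix $A'$ that reproduces the shared key, so the secrecy of $A$ protects nothing.

```python
# Added example: passive recovery of the shared key when the public base G
# is singular. G, A and B are constructed sample matrices; the function
# names are assumptions made for this sketch.
from fractions import Fraction

def matmul(X, Y):
    """Product of two 2x2 matrices stored as nested lists."""
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def det(X):
    return X[0][0] * X[1][1] - X[0][1] * X[1][0]

def equivalent_left_factor(G, E_A):
    """Return some A' with A'G == E_A, computed from public values only.

    A non-zero singular 2x2 G has rank 1, so every row of E_A = AG is a
    multiple of one non-zero row G[r]; that multiple is all an observer needs.
    """
    if det(G) != 0:
        raise ValueError("G is invertible; this shortcut does not apply")
    for r in range(2):
        for c in range(2):
            if G[r][c] != 0:
                A_prime = [[Fraction(0), Fraction(0)] for _ in range(2)]
                for i in range(2):
                    A_prime[i][r] = Fraction(E_A[i][c], G[r][c])
                return A_prime
    raise ValueError("G is the zero matrix")

def demo():
    G = [[1, 2], [2, 4]]        # public, singular (constructed)
    A = [[3, 2], [4, 5]]        # Along's private matrix (constructed)
    B = [[5, 4], [10, 12]]      # Busu's private matrix (constructed)
    E_A, E_B = matmul(A, G), matmul(G, B)
    shared = matmul(A, E_B)     # Along's view of the key
    A_prime = equivalent_left_factor(G, E_A)
    return shared, matmul(E_A, B), A_prime, matmul(A_prime, E_B)
```

The design lesson is that hiding a secret behind a non-invertible public map only helps if every preimage is useless to an observer; here every preimage of $E_A$ yields the same key.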




6.2 Improper integer size 



Observe the equation given by

$$e_A = a_1 + a_2 g_1 \qquad (12)$$

where $e_A$ and $g_1$ are public parameters. Let $g_1$ be of length 2n-bits, while the
private parameters $a_1$ and $a_2$ are n-bits long. Because of this improper choice of
size, one can obtain

$a_2$ = floor( — )    (13)

7 The Underlying Security Principle

We will now observe the underlying security principles that the $AA_\beta$-cryptosystem
is based upon.

7.1 The $AA_\beta$-DEHP-1

Determine the preferred integer (either $k_1$ or $k_2$) such that $m = C - k_1 e_{A1} \pmod{e_{A2}}$
or $m = C - k_2 e_{A2} \pmod{e_{A1}}$.

7.2 The $AA_\beta$-DEHP-2

Determine the preferred integers $(a_1, a_2, a_3)$ belonging to the public keys $e_{A1}$
and $e_{A2}$.

7.3 The integer factorization problem

Let $p$ and $q$ be two large primes. From $e_{A1} = a_1 + a_2 = pq$ obtain $d_{A1} = p$.



7.4 Security reduction 

Proposition 2. $AA_\beta$-DEHP-2 $\equiv_T$ Factoring $e_{A1} = pq$.

Proof. Let $\theta_1$ be an oracle that factors the product of primes. Call $\theta_1(e_{A1})$ to
obtain $p$ and $q$. Then we are able to construct $a_1$ and $a_2$ (from $a_1 + a_2 = pq$ and
$a_1 - a_2 = p$) and $a_3 = e_{A2} - a_1$. Hence, the preferred integers $(a_1, a_2, a_3)$ are
obtained. Thus, $AA_\beta$-DEHP-2 $\leq_T$ Factoring $e_{A1} = pq$. Let $\theta_2$ be an oracle that
obtains the preferred integers $(a_1, a_2, a_3)$. Then obtain $p = a_1 - a_2$ and hence $q$.
Thus, Factoring $e_{A1} = pq$ $\leq_T$ $AA_\beta$-DEHP-2. Hence, $AA_\beta$-DEHP-2 $\equiv_T$ Factoring
$e_{A1} = pq$. □

Proposition 3. Decryption $\leq_T$ Factoring $e_{A1} = pq$.

Proof. Let $\theta_1$ be an oracle that factors the product of primes. Call $\theta_1(e_{A1})$ to
obtain $p$ and $q$. Then determine $v \equiv e_{A2} \pmod{p}$. Now, decryption can occur. □

7.5 Indistinguishability 

Proposition 4. The $AA_\beta$ public key cryptosystem is IND-CPA.

Proof. The $AA_\beta$ public key cryptosystem is a probabilistic cryptosystem. A
probabilistic encryption scheme is IND-CPA P^. Thus the $AA_\beta$ public key
cryptosystem is IND-CPA. □

7.6 Example 

We will now provide a clear numerical illustration of the $AA_\beta$-cryptosystem for
n = 32-bits. Along will generate the following secret keys: $a_1 = 6143959510671614040$,
$a_2 = 6143959507200090613$, $a_3 = 5113460585870913605$ and $v = 66857602$.
Along's public keys are $e_{A1} = 12287919017871704653$ and $e_{A2} = 11257420096542527645$.
Observe that $e_{A1}$ is the product of two 32-bit primes ($p = 3471523427$ and
$q = 3539633039$). Along's private keys are $d_{A1} = 3471523427$ and $d_{A2} = 66857602$.
In the meantime Busu will generate $k_1 = 33$ and $k_2 = 32$. The message is
$M = 39152991$. The ciphertext generated by Busu is $C = 765738770679166291180$.
Finally, $(C \bmod d_{A1}) \bmod d_{A2} = 39152991$. □

8 Conclusion 

The $AA_\beta$-cryptosystem has the capacity to become a novel public key cryptosystem
whose hard mathematical problem is based upon the difficulty of the DEHP
and the integer factorization problem of two large primes. Just like the RSA,
where the e-th root problem is considered much more difficult than factoring
the product of primes, the DEHP could also be considered much more difficult
than factoring the product of primes (due to the exponential number of
possibilities for the private parameters). The minimum key length for optimum security
should be set to n = 512-bits. On another note, it is known that the
implementation of RSA and ECC is O(n^) operations where n is the length of the message
block [5],[8],[?]. By this fact we can have the following table of comparison.



Algorithm     Encryption Speed    Decryption Speed    Expansion
RSA           O(n^)                                   1 - 1
ECC                                                   1 - 2 (2 parameter ciphertext)
NTRU          O(n^)                                   varies
$AA_\beta$    O(n')               O(n')               1 - 2.7

Table 2. Encryption / decryption speed and message expansion table for message block of length n

One can also note another advantage. That is, since the encryption and decryption
procedures use only the basic arithmetic operation of multiplication, the scheme could
encrypt messages of large block size with ease. As a result this algorithm is
advantageous relative to RSA or ECC (because of better speed) and ECC (because
of less computational effort to encrypt/decrypt messages of large block size).